mozilla / cargo-vet

supply-chain security for Rust
Apache License 2.0

Consider giving detail about diff audit suggestions based on imports/wildcards/trusted entries #532

Open afranchuk opened 1 year ago

afranchuk commented 1 year ago

When adding new crates, `cargo vet check` (and probably `cargo vet suggest`) will find a path-of-least-effort to get the new crates certified. This can result in some slightly confusing suggestions since these commands look at all imports as well. It'd be nice if, when a `cargo vet diff` is suggested which is based on something other than a local audit, the certification reason for the base of the diff is displayed.

For example:

```
recommended audits for safe-to-deploy:
    Command                                           Publisher    Used By                                   Audit Size
    cargo vet diff webpki-roots 0.23.0 0.23.1         ctz          hyper-rustls                              4 files changed, 81 insertions(+), 5 deletions(-)
      NOTE: webpki-roots 0.23.0 is certified by imported audits from `bytecode-alliance`
```

While this might result in a bit more noise in the output, as an auditor it feels much better to have the full picture of the chain of audits and why a particular command is suggested. For consistency, it might also be a good idea to include the note for diffs from local audits, something like `NOTE: webpki-roots 0.23.0 is certified by audits in the local supply chain`.
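As an added illustration of the proposal in the comment above (example code, not cargo-vet's own implementation), the sketch below models a suggestion that picks the nearest certified version as the diff base and annotates it with where that certification comes from: a local audit, an imported audit from a named peer, or a trusted-publisher entry. The `Source` and `Audit` types, the version-distance ranking, and the sample audit entries are all hypothetical stand-ins for cargo-vet's real data.

```rust
// Added example, not cargo-vet's own code: a simplified model of how a suggested
// `cargo vet diff` could pick its base version and say why that base is certified.
#[derive(Debug, PartialEq)]
pub enum Source {
    Local,                  // audit recorded in the local supply chain
    Imported(&'static str), // audit imported from a named peer
    Trusted(&'static str),  // trusted-publisher (wildcard) entry
}
pub struct Audit { pub crate_name: &'static str, pub version: &'static str, pub source: Source }

/// Parse "MAJOR.MINOR.PATCH"; anything else yields None.
fn parse(v: &str) -> Option<(u64, u64, u64)> {
    let mut it = v.split('.').map(|p| p.parse::<u64>().ok());
    Some((it.next()??, it.next()??, it.next()??))
}

/// Version distance, compared lexicographically (a patch bump ranks below a minor bump).
/// This stands in for cargo-vet's own ranking by diff size.
fn distance(a: &str, b: &str) -> Option<(u64, u64, u64)> {
    let (a, b) = (parse(a)?, parse(b)?);
    Some((a.0.abs_diff(b.0), a.1.abs_diff(b.1), a.2.abs_diff(b.2)))
}

/// Choose the certified version nearest `target` as the diff base and annotate the
/// suggestion with the certification source of that base (the NOTE line proposed above).
pub fn suggest(audits: &[Audit], krate: &str, target: &str) -> Option<String> {
    let base = audits.iter()
        .filter(|a| a.crate_name == krate && a.version != target)
        .filter_map(|a| Some((distance(a.version, target)?, a)))
        .min_by_key(|(d, _)| *d)?
        .1;
    let reason = match &base.source {
        Source::Local => "audits in the local supply chain".to_string(),
        Source::Imported(peer) => format!("imported audits from `{peer}`"),
        Source::Trusted(publisher) => format!("a trusted-publisher entry for `{publisher}`"),
    };
    Some(format!(
        "cargo vet diff {krate} {v} {target}\n  NOTE: {krate} {v} is certified by {reason}",
        v = base.version
    ))
}

/// Constructed sample data (hypothetical audit entries, not from any real imports.lock).
pub fn sample_audits() -> Vec<Audit> {
    vec![
        Audit { crate_name: "webpki-roots", version: "0.22.6", source: Source::Local },
        Audit { crate_name: "webpki-roots", version: "0.23.0", source: Source::Imported("bytecode-alliance") },
        Audit { crate_name: "hyper-rustls", version: "0.24.0", source: Source::Trusted("ctz") },
    ]
}
```

Calling `suggest(&sample_audits(), "webpki-roots", "0.23.1")` picks 0.23.0 over 0.22.6 as the base because it is the closer version, and the NOTE line reports the imported-audit origin rather than leaving the auditor to look it up.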

bholley commented 1 year ago

This seems like a nice feature!